Skip to main content

Release Notes

0.3.0

New Features — optional hooks

Six new opt-in scanning surfaces, installed with prisma-airs-hooks install --optional <names|all> (default install is unchanged):

  • beforeShellExecution (can block) — scans shell command text as tool_event before execution; enforce-mode block denies the command.

  • afterShellExecution (observe) — scans terminal output for DLP (leaked credentials, env dumps).

  • beforeReadFile (can block) — DLP-scans full file contents before the Agent reads them into model context.

  • beforeTabFileRead (can block) — same DLP gate for Tab inline completions; first AIRS coverage of the Tab surface.

  • subagentStart (can block) — scans subagent task text for prompt injection before the subagent spawns.

  • afterMCPExecution (observe) — scans MCP tool input + full result JSON after execution.

  • MCP output sanitization — new sanitize_mcp_output config flag (default false): in enforce mode, postToolUse replaces flagged MCP tool output with a redaction notice via Cursor's updated_mcp_tool_output, so flagged content never reaches the model.

Improvements

  • Data-driven hook registry drives install/uninstall/verify scripts; verify-hooks reports optional hooks without failing when absent.
  • beforeShellExecution, afterShellExecution, and beforeReadFile also run in Cursor cloud agents, extending AIRS coverage there.

See Optional Hooks for details.


0.2.2

Fixes

  • PRISMA_AIRS_PROFILE_NAME — single env var to set the AIRS security profile for all scan directions (prompt, response, tool). Per-direction vars (PRISMA_AIRS_PROMPT_PROFILE, PRISMA_AIRS_RESPONSE_PROFILE, PRISMA_AIRS_TOOL_PROFILE) still work as overrides.
  • session_id — all scans send session_id (<email>:<YYYY-MM-DD>) to Prisma AIRS, binding a user's prompts, responses, and tool calls into a single daily session.
  • Log path~ in logging.path is now resolved to the home directory at runtime. Default template changed to ~/.cursor/hooks/airs-scan.log.

0.2.0

Breaking Changes

  • Environment variable rename: All AIRS_* variables renamed to PRISMA_AIRS_*. See migration guide below.

New Features

  • beforeMCPExecution hook — scans MCP tool inputs before execution via AIRS tool_event content type. Can block tool calls flagged for prompt injection, malicious parameters, etc.
  • postToolUse hook — scans MCP, Shell, Write, and Edit tool outputs for DLP, malicious code, and other violations. Observe-only (audit and logging).
  • Per-direction profiles — new profiles.tool for MCP/tool scanning alongside existing profiles.prompt and profiles.response.
  • Configurable content limitscontent_limits.max_scan_bytes (skip threshold, default 50KB) and content_limits.truncate_bytes (truncation, default 20KB) applied to all scan paths.

Migration

Replace in your shell profile:

  • AIRS_API_KEYPRISMA_AIRS_API_KEY
  • AIRS_API_ENDPOINTPRISMA_AIRS_API_ENDPOINT
  • AIRS_PROMPT_PROFILE / AIRS_RESPONSE_PROFILEPRISMA_AIRS_PROFILE_NAME (single var for all directions, or use per-direction PRISMA_AIRS_PROMPT_PROFILE / PRISMA_AIRS_RESPONSE_PROFILE / PRISMA_AIRS_TOOL_PROFILE overrides)

Then reinstall hooks: prisma-airs-hooks install --global


0.1.0 (2026-03-17)

Initial release.

Features

  • Prompt scanning via beforeSubmitPrompt Cursor hook
  • Response scanning via afterAgentResponse Cursor hook with code extraction
  • Three modes: observe, enforce, bypass
  • Six detection services: prompt injection, DLP, toxicity, malicious code, URL categorization, custom topics
  • Per-service enforcement: block, mask, or allow independently
  • Fail-open design: never blocks on infrastructure failures
  • Circuit breaker: automatic bypass after consecutive API failures
  • DLP masking: replace sensitive content instead of blocking
  • Code extraction: fenced, indented, and heuristic detection
  • Structured logging: JSON Lines with automatic rotation at 10MB
  • Stats CLI: scan totals, block rates, latency percentiles
  • Global hook installation: --global flag for all Cursor workspaces
  • Precompiled JS: ~800ms cold start vs ~2.5s with tsx
  • Environment variable defaults: only AIRS_API_KEY required
  • 66 tests across 9 suites including compiled JS integration tests

Built On

  • @cdot65/prisma-airs-sdk for AIRS API communication
  • TypeScript 5.x with strict mode
  • Node.js 18+ (native fetch)
  • Vitest for testing